AISN Ethics and Legal Workshop

Legal and Ethics Workshop abstract


This document provides a summary of the Legal and Ethical workshop which took place during the AISN Consortium Meeting in Interlaken.

GDPR Compliance

The following requirements stem from the General Data Protection Regulation (GDPR) and have to be completed in the next year of the project.

  1. Identification of Data Protection Roles

The GDPR envisages three potential actors in a processing operation involving personal data. These actors are the data controllers, data processors and data subjects.

  • Data Subject(s) – the natural persons to whom the personal data relates.
  • Data Controller(s) – the entity which alone or jointly with others determines the purposes and means of the processing of personal data.
  • Data Processor(s) – the entity which processes personal data on behalf of the data controller(s). In most cases, processors provide the technical means to facilitate the processing of personal data on behalf of the data controller(s).

Once the protocols for the clinical trials have been established, the role of data controllers and data processors will be formally assigned. The responsibilities associated with these roles will be outlined in the Joint Controllership Agreement and the Data Processing Agreement.

In the context of the focus groups conducted in WP4, each clinical partner is the Data Controller of the personal data they collect or process in the context of the focus groups. The personal data of external participants will not be shared between the clinical partners.

  2. Joint Controllership Agreement (JCA)

Prior to the commencement of the clinical trials, UNIVIE will draft an agreement between the joint controllers. A joint controllership-relationship is formed when two or more entities jointly determine the means and purposes of personal data processing. In the context of the clinical trial, partners will jointly decide what personal data is processed, the means of processing and the reasons/objectives of processing. The agreement between the joint controllers will outline the roles and responsibilities of each controller, in accordance with Article 26 of the GDPR. Prior to the clinical trials, joint controllers will be required to review and sign this agreement.

  3. Data Processing Agreement (DPA)

Prior to the commencement of the clinical trials, UNIVIE will draft an agreement between the joint controllers and the data processors. This agreement shall outline the subject-matter, nature, duration, and purposes for personal data processing. Additionally, the DPA will outline the technical and organisational security measures to be implemented.

  4. Involvement of external data subjects

The consent of external data subjects/participants will form the legal basis for the processing of personal data. Therefore, consent forms will be required to inform the data subject and to obtain their informed and explicit consent. UNIVIE will review the consent forms provided by the clinical partners to ensure compliance with the GDPR.

Transparency of AI

Developers of AI systems falling under the extensive scope of the upcoming AI Act will have to comply with its transparency requirements. Article 13 of the AI Act requires explainability towards deployers of these systems, primarily in view of the transparency obligations they themselves have to fulfil towards end users (see Art 22 GDPR). This includes the provision of a manual containing instructions for use of the system.

Even though the AI Act in its entirety will not be applicable during the research phase (scientific research exception: Art 2 para 5a AI Act), once AISN-products are put on the market, these transparency obligations will have to be complied with. Therefore, explainability will have to be taken into consideration in the design-phase of AISN.

This includes being aware of the whole AISN-pipeline and, as a result, tailoring explainability to different recipients. Not only do clinicians and end-users need different kinds of information about the systems; given the potential transnational roll-out of AISN-systems, cultural differences might have to be considered as well.

Furthermore, several considerations about use cases inform legal and ethical standards of transparency. Such considerations might include confirmability by experts, potential benefits to patients, resource-saving impact, importance of speed, reliability of non-AI alternatives, availability of medical expertise, ease of identifying patients from training data or, most importantly, direct risk to the patient. The last consideration was found to be rather manageable regarding AISN and the use of RGS.

While there would need to be some kind of initial information about AISN’s products for users to give their informed consent, the preferable way to give out deeper information was found to be incorporation within the system itself in an approachable and “fun” manner. This would mitigate the potential danger of deployers and users not informing themselves properly about the workings of AISN’s products and would ensure transparency in a legal and ethical form.
